Top 10 Nastiest Ransomware Attacks of 2017

We’re revealing the top 10 nastiest ransomware attacks from the past year. NotPetya came in on our list as the most destructive ransomware attack of 2017, followed closely by WannaCry and Locky in the number two and three spots, respectively. NotPetya took number one because of its intent to damage a country’s infrastructure: unlike most ransomware, its code wasn’t designed to extort money from its victims, but to destroy everything in its path.

NotPetya, WannaCry, Jaff and Spora first appeared in 2017. The other ransomware families on our top 10 list made their debuts the year before, and either continued into 2017 or returned with a vengeance.

This top 10 list underscores the reality of our increasingly connected world: cybercriminals will keep developing new infections while continuing to capitalize on reliable, proven attack methods.

NotPetya

DESCRIPTION

Starting as a malicious update pushed through the Ukrainian tax software M.E.Doc, this ransomware is a variant of an older family dubbed Petya, except this version uses the same SMB exploit behind WannaCry. Once the trojanized update ran, the malware used the EternalBlue and EternalRomance exploits to spread laterally through networks like a worm. The code used to build NotPetya was not designed to extort money from its victims, but rather to destroy everything in its path: the “installation key” it showed victims was random data, so no decryption key could ever have been produced. Inception: June 2017; Attack vector: Supply chain (M.E.Doc update) plus the EternalBlue and EternalRomance SMB exploits

DAMAGE REPORT

The on-screen demand asked for about $300 in bitcoin, but the single email address the attackers used to confirm payments was shut down by its provider within hours, so even victims who paid had no way to reach them. NotPetya was designed to do as much damage to Ukrainian infrastructure as possible. Not only did it knock out systems at Ukrainian power companies, banks and supermarkets, but it also infected hundreds of thousands of computers in over 100 countries. Additionally, the ransomware halted operations at Maersk, the world’s largest container shipping company, and at FedEx’s TNT Express subsidiary, each of which reported losses of around $300 million. Destruction Zone: 100+ countries

WannaCry

DESCRIPTION

The attackers behind WannaCry used the EternalBlue exploit and the DoublePulsar backdoor, NSA tools made public in April 2017 by a group called the Shadow Brokers. Early reports claimed the malware was seeded through spam emails (fake invoices, job offers and other lures carrying a .zip attachment), but later analysis found no email vector: WannaCry spread on its own by scanning for hosts exposing SMB on TCP port 445. EternalBlue exploits a flaw in SMBv1 in Microsoft Windows (CVE-2017-0144) that allows unauthenticated remote code execution. Microsoft patched it in the March 2017 update cycle (MS17-010), but many organizations had not applied the patch or were running unsupported legacy operating systems such as Windows XP, which only received a fix when Microsoft issued an emergency update during the outbreak. Inception: Early variants appeared in February and March 2017; the worm outbreak began on 12 May 2017; Attack vector: EternalBlue SMBv1 exploit (MS17-010)
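Both NotPetya and WannaCry needed targets that still answered SMBv1 on port 445, so the first practical question after reading the two descriptions above is how to find such hosts on your own network. The following is an added example, not code from the article: a small Python probe that sends an SMBv1 NEGOTIATE request offering only the NT LM 0.12 dialect and reports whether the server accepts it. It checks for the protocol version EternalBlue needs, not for the MS17-010 bug itself. The `make_sample_response` helper builds a constructed reply (not a capture from a real server) so the parser can be exercised offline.

```python
"""Probe a host for SMBv1 (the protocol version the EternalBlue exploit abuses).

Added example, not code from the original article. It speaks just enough raw
SMB to send a NEGOTIATE request offering only SMBv1 dialects and to read the
server's answer; it does not test for the MS17-010 bug itself.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"             # SMBv1 header signature (SMB2 replies start with b"\xfeSMB")
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF                 # DialectIndex a server returns when it rejects every offer
DEFAULT_DIALECTS = ("NT LM 0.12",)  # the dialect Windows SMBv1 clients normally settle on


def _smb1_header(flags):
    # 32-byte SMBv1 header: command, NT status, flags, flags2, pid_high,
    # security features, reserved, tid, pid_low, uid, mid
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags, 0xC853, 0, b"\0" * 8, 0, 0, 0x1234, 0, 0)


def _netbios(smb):
    # NetBIOS session service header: type 0 plus a 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=DEFAULT_DIALECTS):
    """Raw SMBv1 NEGOTIATE request that offers only the given dialects."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount, dialect list
    return _netbios(_smb1_header(0x18) + body)


def parse_negotiate_response(packet, dialects=DEFAULT_DIALECTS):
    """Return the dialect the server picked, or None if it rejected SMBv1.

    Raises ValueError for anything that is not a well-formed SMBv1 NEGOTIATE
    reply, including SMB2 replies.
    """
    if len(packet) < 4 + 32 + 3:
        raise ValueError("packet too short for an SMBv1 reply")
    smb = packet[4:]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 reply")
    if smb[4] != SMB_COM_NEGOTIATE or not smb[9] & 0x80:
        raise ValueError("not a NEGOTIATE reply from a server")
    word_count = smb[32]
    if word_count == 0:
        return None                    # error reply (NT status in smb[5:9]), no dialect chosen
    index = struct.unpack_from("<H", smb, 33)[0]
    if index == NO_DIALECT:
        return None
    if index >= len(dialects):
        raise ValueError("server chose dialect %d but only %d were offered" % (index, len(dialects)))
    return dialects[index]


def smb1_enabled(host, port=445, timeout=3.0, dialects=DEFAULT_DIALECTS):
    """Connect to host:port and report which SMBv1 dialect (if any) it accepts.

    Returns None when the server refuses SMBv1 (Windows with SMB1 disabled just
    drops the connection). Errors from the initial connect propagate, so "host
    down" is not mistaken for "SMBv1 off".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request(dialects))
        try:
            data = s.recv(4)
            if len(data) < 4:
                return None
            need = 4 + int.from_bytes(data[1:4], "big")
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    return None
                data += chunk
        except (ConnectionError, socket.timeout):
            return None
    try:
        return parse_negotiate_response(data, dialects)
    except ValueError:
        return None


def make_sample_response(dialect_index):
    """Constructed (not captured) NEGOTIATE reply for offline testing."""
    # 17 parameter words: DialectIndex, SecurityMode, MaxMpx, MaxVCs, MaxBuffer,
    # MaxRaw, SessionKey, Capabilities, SystemTime, TimeZone, ChallengeLength
    words = struct.pack("<HBHHIIIIqhB", dialect_index, 3, 50, 1, 16644, 65536,
                        0, 0x8000F3FD, 0, 0, 8)
    body = bytes([17]) + words + struct.pack("<H", 8) + b"\x00" * 8   # WordCount=17, ByteCount=8
    return _netbios(_smb1_header(0x98) + body)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "->", smb1_enabled(target))
```

Run it only against hosts you are authorized to test (`python smb1probe.py fileserver01`). Any result other than `None` means the box still negotiates SMBv1; confirm MS17-010 is installed and remove the SMBv1 feature, since the patch closes the bug but leaves the legacy protocol listening.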

DAMAGE REPORT

WannaCry was the first ransomware worm to take the whole world by storm, infecting several hundred thousand machines in a single day. Some reports put the damage at up to $4 billion. Luckily, a security researcher in England noticed that the malware tried to reach an unregistered domain before encrypting anything, and registered it: the code treated a successful connection as a signal to stop, so the registration acted as a kill switch for every infected machine that could resolve the domain (hosts whose only way out was through a web proxy failed the check and were still encrypted). The kill switch domain has received over 10 million connections since it was registered, suggesting WannaCry could have been far more destructive. Destruction Zone: 150+ countries

Locky

DESCRIPTION

The most popular ransomware of 2016 is still alive and well in 2017. New variants of Locky—Diablo and Lukitus—surfaced this past August using the same initial phishing email attack vector. The emails contain a zipped attachment with malicious JavaScript that downloads the Locky payload. Most of the emails pose as fake invoices from companies such as Amazon Marketplace and Herbalife. More recently, the ransomware has been spotted using an email distribution campaign with Game of Thrones references in its script’s variable names. Inception: February 2016; Attack vector: Spam Email

DAMAGE REPORT

Crowned the king of spam emails, Locky campaigns can reach millions of users per day. One of the first organizations hit was the Hollywood Presbyterian Medical Center in Los Angeles. The hospital paid the ransom demand of 40 bitcoins (approximately $17,000 at the time) to regain access to its systems. That’s a huge payday for a single attack. Other individual reports reveal the requested amount is typically around 0.5 to 1 bitcoin ($400 to $800 at the time). Destruction Zone: United States, United Kingdom, Ireland, Australia, New Zealand, Canada, China, Russia, Japan, Italy, Spain, France, Mexico, South Africa, Sweden, Costa Rica, Puerto Rico, Bulgaria, Serbia, Switzerland, Barbados, Turkey, India, Philippines, Malaysia, Saudi Arabia, Brazil, and more

CrySis

DESCRIPTION

CrySis (whose later builds are better known as Dharma) is the textbook case of ransomware delivered over Remote Desktop Protocol (RDP). RDP is one of the most common ways to deploy ransomware because the attacker brute-forces or buys credentials for an internet-exposed RDP server, lands on an administrator account, and from there can reach the systems that control an entire organization. As CrySis encrypts a computer, it also deletes the Volume Shadow Copies that Windows keeps automatically, so users can’t use them to restore files. Inception: First detected in February 2016; took a few months to spread; Attack vector: Remote Desktop Protocol (RDP)
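The shadow-copy deletion described above is the most dependable host-side tell for CrySis and for most other families on this list, because the command lines involved are few, stable and rarely run by legitimate administrators. Below is an added example, not code from the article: a Python detector that scans process-creation events for the backup-destruction commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit) and escalates when a single parent process trips several of them within a few minutes. The log lines are constructed for the example (one JSON object per line with time, host, user, parent and cmdline fields, roughly Sysmon event 1 shape), and the parent process name `winupd.exe` is made up; real telemetry would need a small field-mapping adapter.

```python
"""Flag the backup-destruction commands ransomware runs before encrypting.

Added example, not from the original article. Input is a constructed
process-creation log (one JSON object per line with fields
time/host/user/parent/cmdline); the parent name "winupd.exe" is invented.
"""
import json
import re
from datetime import datetime

# Each rule: a label and a pattern over the full command line. Families such as
# CrySis/Dharma run these to wipe Volume Shadow Copies and other local recovery
# options; admins rarely run them, and almost never several in a row.
BACKUP_TAMPERING_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Constructed sample log: one benign backup-agent query, a four-command
# pre-encryption sequence from a dropped binary, and unrelated Office activity.
SAMPLE_LOG = r"""
{"time":"2017-11-02T03:14:07Z","host":"FS01","user":"CORP\\svc_backup","parent":"C:\\Program Files\\BackupAgent\\agent.exe","cmdline":"vssadmin list shadows"}
{"time":"2017-11-02T03:21:09Z","host":"FS01","user":"FS01\\Administrator","parent":"C:\\Users\\Administrator\\Desktop\\winupd.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"time":"2017-11-02T03:21:10Z","host":"FS01","user":"FS01\\Administrator","parent":"C:\\Users\\Administrator\\Desktop\\winupd.exe","cmdline":"wmic shadowcopy delete"}
{"time":"2017-11-02T03:21:11Z","host":"FS01","user":"FS01\\Administrator","parent":"C:\\Users\\Administrator\\Desktop\\winupd.exe","cmdline":"bcdedit /set {default} recoveryenabled No"}
{"time":"2017-11-02T03:21:12Z","host":"FS01","user":"FS01\\Administrator","parent":"C:\\Users\\Administrator\\Desktop\\winupd.exe","cmdline":"wbadmin delete catalog -quiet"}
{"time":"2017-11-02T03:30:00Z","host":"WS17","user":"CORP\\jdoe","parent":"C:\\Windows\\explorer.exe","cmdline":"\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" /n"}
"""


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def scan_process_log(text):
    """Return one alert per line whose command line matches a tampering rule."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        cmd = ev.get("cmdline", "")
        for label, pattern in BACKUP_TAMPERING_RULES:
            if pattern.search(cmd):
                alerts.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                               "parent": ev["parent"], "rule": label, "cmdline": cmd})
                break
    return alerts


def correlate(alerts, window_seconds=300):
    """Escalate when one parent process on one host trips two or more distinct
    rules inside the window: that sequence is the ransomware pre-encryption
    routine, not an admin tidying up disk space."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["host"], a["parent"]), []).append(a)
    escalated = []
    for (host, parent), group in groups.items():
        times = [_ts(a["time"]) for a in group]
        rules = sorted({a["rule"] for a in group})
        if len(rules) >= 2 and (max(times) - min(times)).total_seconds() <= window_seconds:
            escalated.append({"host": host, "parent": parent, "user": group[0]["user"],
                              "rules": rules, "first_seen": group[0]["time"]})
    return escalated


if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG)
    for a in hits:
        print("%(time)s %(host)s %(user)s [%(rule)s] %(cmdline)s" % a)
    for e in correlate(hits):
        print("ESCALATE:", e["host"], e["parent"], ", ".join(e["rules"]))
```

The single-rule alerts are worth a ticket; the correlated hit is worth isolating the host immediately, because encryption normally follows within seconds of the last of these commands. Pair this with RDP logon monitoring (Windows event 4625 bursts followed by a 4624 with logon type 10 from an external address) to catch the CrySis entry vector before it reaches this stage.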

Nemucod

DESCRIPTION

Arriving via fake shipping-invoice emails, Nemucod is a JavaScript downloader: once the attachment is opened, it fetches the malware and encryption components from compromised websites. Nemucod would have been crowned the most malicious spam campaign of the year if Locky hadn’t reignited in August. Inception: Historically, the crew behind Nemucod distributed TeslaCrypt, which was huge in 2015 and 2016; in 2017, they made their own ransomware variant; Attack vector: Spam Email

Jaff

DESCRIPTION

Like Locky, new variants of Jaff ransomware continue to be distributed. Jaff arrives through phishing emails, typically a PDF attachment carrying an embedded Word document whose macros fetch the payload, and it shares traits with other successful malware. While Jaff may not have garnered the level of attention WannaCry received, its distribution through the Necurs spam botnet puts it in an exclusive club, one whose recent membership includes both Dridex and Locky. Inception: May 2017; Attack vector: Spam Email
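Locky, Nemucod and Jaff all ride the same lure: an invoice-themed email whose attachment (or the archive wrapping it) is really a script that Windows will happily run on double-click. The following is an added example, not code from the article or from any vendor, showing the mail-gateway check that stops most of these campaigns before a user sees them: parse the raw message, look at every attachment, open zip archives in memory and flag script or executable members, password-protected members (which exist precisely so the gateway can’t look inside), and archives that won’t open at all. The sample message, zip and member contents are constructed here; they are not real campaign samples, and the JavaScript inside is a harmless placeholder.

```python
"""Flag the script-in-a-zip attachments that Locky, Nemucod and Jaff campaigns use.

Added example, not from the original article. It parses a raw RFC 822 message,
looks at each attachment, and opens zip archives in memory to inspect member
names without executing anything. The sample message and attachments are
constructed for the example; they are not real campaign samples.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will hand to a script host or loader on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".scr", ".exe", ".lnk"}
ARCHIVE_EXTS = {".zip"}
MAX_MEMBERS = 200   # stop walking absurdly large archives


def _ext(name):
    """Last extension of a (possibly path-qualified) file name, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_attachment(filename, payload):
    """Return (attachment, member, reason) findings for one decoded attachment."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTS:
        findings.append((filename, None, "script or executable attachment"))
    if ext in ARCHIVE_EXTS:
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append((filename, None, "archive cannot be opened"))
            return findings
        with archive:
            members = archive.infolist()
            if len(members) > MAX_MEMBERS:
                findings.append((filename, None, "archive has %d members" % len(members)))
            for info in members[:MAX_MEMBERS]:
                if info.flag_bits & 0x1:
                    # encrypted member: the gateway cannot see inside, which is the point
                    findings.append((filename, info.filename, "password-protected member"))
                if _ext(info.filename) in SCRIPT_EXTS:
                    findings.append((filename, info.filename, "script or executable inside archive"))
    return findings


def inspect_message(raw):
    """Run inspect_attachment over every attachment of a raw message; [] means clean."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, payload))
    return findings


def build_zip(members):
    """Constructed in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message(attachment_name, attachment_bytes):
    """Constructed invoice-themed message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice 2017-11-0042"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="zip" if attachment_name.endswith(".zip") else "octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_zip({"invoice_0042.pdf.js": b"// harmless placeholder, not a downloader"})
    for finding in inspect_message(build_sample_message("invoice_0042.zip", lure)):
        print(finding)
```

Note the double extension in the sample member name: `invoice_0042.pdf.js` shows as `invoice_0042.pdf` on a Windows box that hides known extensions, which is why the check keys on the last extension only. Quarantining on any finding, rather than trying to scan the script’s contents, is the right default; attackers rotate the obfuscation daily but cannot change the fact that a `.js` in a zip is never a legitimate invoice.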

Spora

DESCRIPTION

To distribute this ransomware, cybercriminals hack legitimate websites and inject JavaScript code. Visitors to the sites get a pop-up claiming that their Chrome browser needs a font update before the page can be displayed. Downloading and running the “Chrome Font Pack” infects the user’s system. The attack is named after the Russian word for “spore.” Inception: January 2017; Attack vector: Bogus Chrome font pack update prompt injected into hacked websites

Cerber

DESCRIPTION

Cerber has been delivered over multiple vectors, RDP and spam email among them, but its real engine is ransomware-as-a-service (RaaS). Through this “service,” the authors package up the ransomware and give other criminals the tools to distribute it as they see fit, taking a 30% cut of the profits. Inception: March 2016; has been making several reappearances since its debut, most recently this October; Attack vector: Remote Desktop Protocol (RDP), Spam Email, RaaS

DAMAGE REPORT

One of the latest incarnations of Cerber also steals cryptocurrency wallet files and saved passwords from victims, giving its operators a second source of profit on top of the bitcoin ransom demands (between $300 and $600). Destruction Zone: United States, United Kingdom, Ireland, Canada, Singapore, South Africa, France, Italy, Japan, Chile, India, Australia, China, Germany, Malaysia, Greece, Sweden, Botswana, Turkey, Hungary, Spain, Norway, Serbia, and more

CryptoMix

DESCRIPTION

CryptoMix is often distributed through RDP, but also through exploit kits fed by malvertising: a poisoned ad on an otherwise legitimate site redirects the visitor to a hacked shopping site, which attacks the browser and drops the ransomware. CryptoMix can also copy itself to flash drives, so if a user plugs a drive from an infected system into another machine, the infection spreads. Inception: March 2016; Attack vector: Remote Desktop Protocol (RDP) and Exploit Kit

DAMAGE REPORT

This ransomware is one of the few that doesn’t use a payment portal on the dark web. Instead, victims must wait for the cybercriminals to email them instructions, usually demanding a hefty Bitcoin ransom (5 bitcoin, or approximately $3,000 at the time of those reports). Destruction Zone: United States, United Kingdom, Ireland, New Zealand, Australia, Canada, Italy, Singapore, Turkey, Serbia, Greece, South Africa, India, Mexico, Chile, Ukraine, China, Germany, Malaysia, Japan, Sweden, Botswana, Spain, Hungary, Portugal, Norway, Iran, Russia, Israel, and more

Jigsaw

DESCRIPTION

Jigsaw ransomware, named for the iconic character from the Saw film franchise, distributes via spam email and applies pressure by destruction: it deletes a growing number of the victim’s files every hour, and a large batch each time the infection process is restarted, until the ransom is paid. Inception: April 2016; Attack vector: Spam Email

About the Author

Senior Threat Research Analyst

Tyler Moffitt is a Senior Threat Research Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.
